But when running on a third-party host, you must specify at least the IP address or hostname of the API server (also called the management server). In the example below, we define the connection arguments for the server and pass it the IP address of the management server as a string.
class APIClientArgs:
    """
    This class provides arguments for APIClient configuration.
    All the arguments are configured with their default values.
    """

    # port is set to None by default, but it gets replaced with 443 if not specified
    # context possible values - web_api (default) or gaia_api
    def __init__(self, port=None, fingerprint=None, sid=None, server="127.0.0.1", http_debug_level=0,
                 api_calls=None, debug_file="", proxy_host=None, proxy_port=8080,
                 api_version=None, unsafe=False, unsafe_auto_accept=False, context="web_api"):
        self.port = port
        # management server fingerprint
        self.fingerprint = fingerprint
        # session-id.
        self.sid = sid
        # management server name or IP-address
        self.server = server
        # debug level
        self.http_debug_level = http_debug_level
        # an array with all the api calls (for debug purposes)
        self.api_calls = api_calls if api_calls else []
        # name of debug file. If left empty, debug data will not be saved to disk.
        self.debug_file = debug_file
        # HTTP proxy server address (without "http://")
        self.proxy_host = proxy_host
        # HTTP proxy port
        self.proxy_port = proxy_port
        # Management server's API version
        self.api_version = api_version
        # Indicates that the client should not check the server's certificate
        self.unsafe = unsafe
        # Indicates that the client should automatically accept and save the server's certificate
        self.unsafe_auto_accept = unsafe_auto_accept
        # The context of using the client - defaults to web_api
        self.context = context
The context manager does not log in to the API server automatically, but it does call logout on exit. If for some reason you do not need to log out after finishing your work with the API calls, you should start working without the context manager:
client = APIClient(client_args)
Checking the connection
The simplest way to check whether a connection can be established is the check_fingerprint method. If checking the SHA1 hash of the API server certificate fingerprint fails (the method returns False), this is most often caused by connectivity problems, and we can stop the program (or give the user a chance to correct the connection details):
if client.check_fingerprint() is False:
    print("Could not get the server's fingerprint - Check connectivity with the server.")
    exit(1)
Note that afterwards the APIClient class checks the SHA1 fingerprint of the API server certificate on every API call (the api_call and api_query methods, which we will discuss a little later). If, while checking the SHA1 fingerprint of the API server certificate, an error is detected (the certificate is unknown or has changed), the check_fingerprint method gives you the opportunity to add or replace the information about it on the local machine. This check can be disabled entirely (recommended only if the script runs on the API server itself and connects to 127.0.0.1) using the APIClientArgs argument unsafe_auto_accept (see APIClientArgs earlier, in "Defining connection arguments").
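As an added illustration of the trust-on-first-use behaviour described above (this is not code from the cpapi SDK), the function below reproduces the three outcomes a fingerprint check can have: the stored SHA1 matches, the server is unknown, or the certificate has changed, and shows what unsafe_auto_accept changes. The certificate bytes and the in-memory store are constructed; cpapi's own fingerprint file format is not assumed.

```python
import hashlib

# Constructed stand-in for a server certificate in DER encoding; only its
# SHA1 digest matters for the check, so the bytes themselves are arbitrary.
SAMPLE_CERT_DER = b"constructed DER bytes of the 192.168.47.240 certificate"


def fingerprint(cert_der):
    """SHA1 fingerprint of a DER-encoded certificate as upper-case hex (40 chars)."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def check_fingerprint(store, server, cert_der, unsafe_auto_accept=False):
    """Compare the server's certificate with the fingerprint stored for it.

    store - dict {server: fingerprint} standing in for the local fingerprint file.
    Returns "match", "unknown" (no entry yet) or "changed" (entry differs).
    With unsafe_auto_accept=True an unknown or changed fingerprint is saved
    without any confirmation, which is why that flag is only reasonable when
    talking to 127.0.0.1: against a remote server it would silently accept a
    swapped certificate.
    """
    current = fingerprint(cert_der)
    known = store.get(server)
    if known == current:
        return "match"
    state = "unknown" if known is None else "changed"
    if unsafe_auto_accept:
        store[server] = current  # "accept and save" without asking
    return state


def accept_fingerprint(store, server, cert_der):
    """Record the fingerprint explicitly, after an operator has verified it
    out of band; this is the safe counterpart of unsafe_auto_accept."""
    store[server] = fingerprint(cert_der)
    return store[server]
```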
The option using an API key (supported starting from management version R80.40 / Management API v1.6; here "3TsbPJ8ZKjaJGvFyoFqHFA==" is the API key value of a user on the management server with the API key authorization method):
After that you can use the variables and methods of the APIResponse class (both inside the context manager and outside it). The APIResponse class defines 4 methods and 5 variables; we will dwell on the most important ones in what follows.
success
To begin with, it is a good idea to make sure the API call succeeded and returned a result. There is a variable for this, success:
In [49]: api_versions.success
Out[49]: True
It returns True if the API call succeeded (response code 200) and False if it failed (any other response code). It is convenient to use right after an API call to display different data depending on the response.
if api_versions.success:
    print(api_versions.data)
else:
    print(api_versions.error_message)
In some cases it is necessary to change the value of success. Technically, you can put anything there, even a string constant. But a realistic example is resetting this flag to False under certain conditions. Below, consider an example where the response lists tasks run on the management server, but we want to treat the request as failed (we set success to False even though the API call itself succeeded and returned code 200).
for task in task_result.data["tasks"]:
    if task["status"] == "failed" or task["status"] == "partially succeeded":
        task_result.set_success_status(False)
        break
response()
The response method lets you view a dictionary with the response code (status_code) and the response body (body).
error_message
This data is only available when an error occurred while executing the API request (a non-200 response). Example output:
In [107]: api_versions.error_message
Out[107]: 'code: generic_err_invalid_parameter_name\nmessage: Unrecognized parameter [1]\n'
Useful examples
Below are examples that use API calls added in Management API 1.6.
First, let's see how the add-host and add-address-range calls work. Suppose we need to create every IP address of the 192.168.0.0/24 subnet whose last octet is a multiple of 5 as an object of type host, and wrap all the other IP addresses into objects of type address range. The subnet address and the broadcast address are excluded.
So, below is a script that solves this problem and creates 50 objects of type host and 51 objects of type address range. Solving it requires 101 API calls (not counting the final publish call). In addition, using the timeit module, we measure the time it takes to run the script up to the point where the changes are published.
Script using add-host and add-address-range
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()
first_ip = 1
last_ip = 4
client_args = APIClientArgs(server="192.168.47.240")
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    for ip in range(5, 255, 5):
        add_host = client.api_call("add-host", {"name": f"h_192.168.0.{ip}", "ip-address": f"192.168.0.{ip}"})
    while last_ip < 255:
        add_range = client.api_call("add-address-range", {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"})
        first_ip += 5
        last_ip += 5
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
In my test environment, this script takes between 30 and 50 seconds to complete, depending on the load on the management server.
Now let's see how to solve the same problem using the add-objects-batch API call, support for which was added in API version 1.6. This call lets you create several objects at once in a single API request. Moreover, these can be objects of different types (for example, hosts, subnets and address ranges). So our task can be solved within a single API call.
Script using add-objects-batch
import timeit
from cpapi import APIClient, APIClientArgs

start = timeit.default_timer()
client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
for ip in range(5, 255, 5):
    data = {"name": f'h_192.168.0.{ip}', "ip-address": f'192.168.0.{ip}'}
    objects_list_ip.append(data)
first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "ip-address-first": f"192.168.0.{first_ip}", "ip-address-last": f"192.168.0.{last_ip}"}
    objects_list_range.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip
    }, {
        "type": "address-range",
        "list": objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    add_objects_batch = client.api_call("add-objects-batch", data_for_batch)
    stop = timeit.default_timer()
    publish = client.api_call("publish")
print(f'Time to execute batch request: {stop - start} seconds')
Running this script in my test environment takes about 3 to 7 seconds, depending on the load on the management server. That is, on average, for 101 API objects the batch-type call runs 10 times faster. With a larger number of objects the difference will be even more noticeable.
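The two scripts above build the hosts and address ranges for one fixed subnet and step. The following added example (not code from the page or from cpapi) generalizes that construction to any IPv4 network and any step with the ipaddress module, producing the same objects/type/list payload that add-objects-batch expects; the range naming scheme (full first and last address) and the helper names are assumptions.

```python
import ipaddress


def _range_obj(first, last):
    # Assumed naming scheme: r_<first address>-<last address>
    return {"name": f"r_{first}-{last}",
            "ip-address-first": str(first), "ip-address-last": str(last)}


def build_batch(cidr, step=5):
    """Return an add-objects-batch payload for every address of `cidr` except
    the network and broadcast addresses: addresses whose offset inside the
    subnet is a multiple of `step` become host objects, the addresses between
    them become address-range objects (for a /24 the offset is the last octet).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    hosts, ranges = [], []
    range_start = range_end = None
    for addr in net.hosts():  # .hosts() skips network and broadcast addresses
        if (int(addr) - base) % step == 0:
            if range_start is not None:  # close the range that ended just before this host
                ranges.append(_range_obj(range_start, range_end))
                range_start = None
            hosts.append({"name": f"h_{addr}", "ip-address": str(addr)})
        else:
            if range_start is None:
                range_start = addr
            range_end = addr
    if range_start is not None:  # trailing range up to the last usable address
        ranges.append(_range_obj(range_start, range_end))
    return {"objects": [{"type": "host", "list": hosts},
                        {"type": "address-range", "list": ranges}]}


def count_objects(payload):
    """Number of objects per type in a batch payload, useful as a sanity check
    before sending it with client.api_call("add-objects-batch", payload)."""
    return {entry["type"]: len(entry["list"]) for entry in payload["objects"]}
```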
Now let's see how to work with set-objects-batch. With this API call we can change any parameters. Let's set the first half of the addresses from the previous example (hosts and ranges up to .124 inclusive) to the sienna color, and give the second half of the addresses the khaki color.
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip_first = []
objects_list_range_first = []
objects_list_ip_second = []
objects_list_range_second = []
for ip in range(5, 125, 5):
    data = {"name": f'h_192.168.0.{ip}', "color": "sienna"}
    objects_list_ip_first.append(data)
for ip in range(125, 255, 5):
    data = {"name": f'h_192.168.0.{ip}', "color": "khaki"}
    objects_list_ip_second.append(data)
first_ip = 1
last_ip = 4
while last_ip < 125:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "sienna"}
    objects_list_range_first.append(data)
    first_ip += 5
    last_ip += 5
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}", "color": "khaki"}
    objects_list_range_second.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch_first = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip_first
    }, {
        "type": "address-range",
        "list": objects_list_range_first
    }]
}
data_for_batch_second = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip_second
    }, {
        "type": "address-range",
        "list": objects_list_range_second
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    set_objects_batch_first = client.api_call("set-objects-batch", data_for_batch_first)
    set_objects_batch_second = client.api_call("set-objects-batch", data_for_batch_second)
    publish = client.api_call("publish")
You can delete several objects in one API call using delete-objects-batch. Now let's look at example code that removes all the objects (hosts and address ranges) created earlier with add-objects-batch.
Deleting objects with delete-objects-batch
from cpapi import APIClient, APIClientArgs

client_args = APIClientArgs(server="192.168.47.240")
objects_list_ip = []
objects_list_range = []
for ip in range(5, 255, 5):
    data = {"name": f'h_192.168.0.{ip}'}
    objects_list_ip.append(data)
first_ip = 1
last_ip = 4
while last_ip < 255:
    data = {"name": f"r_192.168.0.{first_ip}-{last_ip}"}
    objects_list_range.append(data)
    first_ip += 5
    last_ip += 5
data_for_batch = {
    "objects": [{
        "type": "host",
        "list": objects_list_ip
    }, {
        "type": "address-range",
        "list": objects_list_range
    }]
}
with APIClient(client_args) as client:
    login = client.login_with_api_key('3TsbPJ8ZKjaJGvFyoFqHFA==')
    delete_objects_batch = client.api_call("delete-objects-batch", data_for_batch)
    publish = client.api_call("publish")
    print(delete_objects_batch.data)
All functionality that appears in new releases of Check Point software immediately receives API calls. Thus, in R80.40 such features as Revert to Revision and SmartTask appeared, and the corresponding API calls were prepared for them right away. Moreover, all the functionality involved in moving from Legacy consoles to Unified Policy mode also received API support. For example, the long-awaited update in software version R80.40 is the move of the HTTPS Inspection Policy from Legacy Policy to Unified Policy, and this functionality immediately received API calls. Here is an example of code that adds a rule to the top position of the HTTPS Inspection Policy that excludes 3 categories from inspection (Health, Finance, Government Services), which are prohibited from inspection by law in many countries.
from __future__ import print_function
import getpass
import sys, os

sys.path.append(os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
from cpapi import APIClient, APIClientArgs

# The script was written for Python 2 (raw_input); this alias lets it run under Python 3 as well.
try:
    raw_input
except NameError:
    raw_input = input


def main():
    with APIClient() as client:
        # if client.check_fingerprint() is False:
        #     print("Could not get the server's fingerprint - Check connectivity with the server.")
        #     sys.exit(1)
        login_res = client.login_as_root()
        if login_res.success is False:
            print("Login failed:\n{}".format(login_res.error_message))
            sys.exit(1)
        gw_name = raw_input("Enter the gateway name:")
        gw_ip = raw_input("Enter the gateway IP address:")
        if sys.stdin.isatty():
            sic = getpass.getpass("Enter one-time password for the gateway(SIC): ")
        else:
            print("Attention! Your password will be shown on the screen!")
            sic = raw_input("Enter one-time password for the gateway(SIC): ")
        version = raw_input("Enter the gateway version(like RXX.YY):")
        # add the gateway and enable the blades in a single call
        add_gw = client.api_call("add-simple-gateway", {'name': gw_name, 'ipv4-address': gw_ip, 'one-time-password': sic, 'version': version.capitalize(), 'application-control': 'true', 'url-filtering': 'true', 'ips': 'true', 'anti-bot': 'true', 'anti-virus': 'true', 'threat-emulation': 'true'})
        if add_gw.success and add_gw.data['sic-state'] != "communicating":
            print("Secure connection with the gateway hasn't established!")
            sys.exit(1)
        elif add_gw.success:
            print("The gateway was added successfully.")
            gw_uid = add_gw.data['uid']
            gw_name = add_gw.data['name']
        else:
            print("Failed to add the gateway - {}".format(add_gw.error_message))
            sys.exit(1)
        change_policy = client.api_call("set-access-layer", {"name": "Network", "applications-and-url-filtering": "true", "content-awareness": "true"})
        if change_policy.success:
            print("The policy has been changed successfully")
        else:
            print("Failed to change the policy- {}".format(change_policy.error_message))
        change_rule = client.api_call("set-access-rule", {"name": "Cleanup rule", "layer": "Network", "action": "Accept", "track": {"type": "Detailed Log", "accounting": "true"}})
        if change_rule.success:
            print("The cleanup rule has been changed successfully")
        else:
            print("Failed to change the cleanup rule- {}".format(change_rule.error_message))
        # publish the result
        publish_res = client.api_call("publish", {})
        if publish_res.success:
            print("The changes were published successfully.")
        else:
            print("Failed to publish the changes - {}".format(publish_res.error_message))
        install_access_policy = client.api_call("install-policy", {"policy-package": "Standard", "access": 'true', "threat-prevention": 'false', "targets": gw_uid})
        if install_access_policy.success:
            print("The access policy has been installed")
        else:
            print("Failed to install access policy - {}".format(install_access_policy.error_message))
        install_tp_policy = client.api_call("install-policy", {"policy-package": "Standard", "access": 'false', "threat-prevention": 'true', "targets": gw_uid})
        if install_tp_policy.success:
            print("The threat prevention policy has been installed")
        else:
            print("Failed to install threat prevention policy - {}".format(install_tp_policy.error_message))
        # add passwords and passphrases to dictionary, one run-script call per line
        with open('additional_pass.conf') as f:
            line_num = 0
            for line in f:
                line_num += 1
                add_password_dictionary = client.api_call("run-script", {"script-name": "Add passwords and passphrases", "script": "printf \"{}\" >> $FWDIR/conf/additional_pass.conf".format(line), "targets": gw_name})
                if add_password_dictionary.success:
                    print("The password dictionary line {} was added successfully".format(line_num))
                else:
                    print("Failed to add the dictionary - {}".format(add_password_dictionary.error_message))


if __name__ == "__main__":
    main()
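The last loop above builds a shell command by pasting each line of additional_pass.conf into a printf string. A line containing a double quote, a dollar sign or backticks would break that command or be expanded by the shell on the gateway, and every line costs one run-script call. The added example below (not from the page or from cpapi) quotes each line with shlex.quote and appends all lines in one script; the run-script keys are the ones used above, the sample lines are constructed, and verify_locally only exercises the generated script with a temporary FWDIR on the local machine.

```python
import os
import shlex
import shutil
import subprocess
import tempfile

# Same destination as in the script above; $FWDIR must stay unquoted so the
# gateway shell expands it.
DICT_PATH = "$FWDIR/conf/additional_pass.conf"

# Constructed sample lines, as they would be read from additional_pass.conf
SAMPLE_LINES = ["Summer2020\n", "it's a pass\n", 'say "hi"\n', "$(hostname) and `date`\n"]


def build_append_script(lines, path=DICT_PATH):
    """Shell script that appends every non-empty line to `path` verbatim.
    shlex.quote wraps each line in single quotes (escaping embedded ones), so
    quotes, $(...), backticks and spaces are written literally instead of
    being interpreted by the shell."""
    cmds = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        cmds.append(f"printf '%s\\n' {shlex.quote(line)} >> {path}")
    return "\n".join(cmds)


def run_script_payload(lines, target):
    """Payload for a single run-script call covering all lines (keys as above)."""
    return {"script-name": "Add passwords and passphrases",
            "script": build_append_script(lines),
            "targets": target}


def verify_locally(lines):
    """Run the generated script with sh against a temporary FWDIR and return
    the resulting file as a list of lines (None when sh is not available)."""
    if shutil.which("sh") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "conf"))
        env = dict(os.environ, FWDIR=tmp)
        subprocess.run(["sh", "-c", build_append_script(lines)], env=env, check=True)
        with open(os.path.join(tmp, "conf", "additional_pass.conf")) as f:
            return f.read().splitlines()
```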